
The age of speedy incident reporting regulation is here.  

To minimize disruption from third-party attacks, zero-day vulnerabilities, ransomware, and nation-state threats, regulators around the world are implementing landmark incident reporting standards. Specified goals vary by jurisdiction, but the main aims are to be able to leverage public sector resources in mitigation and attribution, as well as to encourage more robust operational resiliency. 

Security practitioners are racing to meet these standards, which typically require financial firms to notify a government agency within 36 to 72 hours of incident detection. But the recent directive by India’s Computer Emergency Response Team, known as CERT-IN, made headlines around the world for its requirement that firms disclose cyber incidents within just six hours.

The Shortest Reporting Timeframe Yet

With the stated goal of improving India’s “cybersecurity resilience and foreign relations,” the directive calls for all corporate and government organizations, service providers, intermediaries, and data centers operating in India to report incidents ranging from major cyberattacks to identity theft, phishing, bots, and fake mobile apps.

The directive has resulted in some pushback. Several trade associations – including Bank Policy Institute, U.S. Chamber of Commerce, and others – penned a letter asking CERT-IN to review the mandate and reconsider the six-hour timeframe.

Whether or not the six-hour window remains, financial institutions should expect to see more mandated disclosure windows by regulators around the world. Indeed, it is already happening:  

Combined with the operational, financial, and reputational risks of not being prepared for a major cyberattack, these mandates mean that the compliance risks are also increasing. Firms will be in a far better position with regulators if, upon reporting an incident, they can show that they have the situation under control than if they simply report it with no remediation plan. 

Failing to Prepare is Preparing to Fail 

There are several steps financial institutions can take to improve response time and ensure readiness when a crisis strikes.   

1. Develop an effective incident response plan and handling strategies. 

Incident response plans at financial institutions vary in maturity, but can always be improved. A robust incident response plan will include, but is not limited to:

    • Procedures on how to identify and detect suspicious activity related to networks, hardware, and other equipment 
    • Roles and responsibilities of the incident response team and all other teams involved 
    • Steps to investigate, contain, remediate and recover an infected system 
    • A contact list with all required information, forms, and timelines for notification of all parties  

2. Practice through tabletop exercises and simulations – again and again 

An incident response plan is only solid if it is regularly tested. Exercises show where the gaps are, in addition to what is working. Fix them and exercise again. It is important to use a wide variety of scenarios in your exercise program. While no simulated scenario will occur exactly in real life, well-designed exercises are often strangely prescient and enable teams to build flexible response plans that can be adapted when a real event hits.  

For example, a public-private exercise in 2007 simulated a pandemic where approximately 40% of the workforce had to go remote. After that exercise, the financial sector came together to build the All-Hazards Playbook, which was then activated in January 2020 at the start of COVID-19. While far more than 40% of the financial sector’s workforce ended up working remotely, the guidelines for how it would work had long been in place, resulting in minimal disruption to the sector.  

3. Share cyber intelligence and knowledge 

Given the ever-changing cyber threat landscape, no one firm can anticipate all threats. Cyber intelligence sharing platforms allow individual firms to leverage what is effectively a distributed sensor network to be alerted to emerging threats so that they can be prepared to both defend and respond quickly. Further, when firms share best practices on how they anticipate, mitigate, and respond to new threats, other firms don’t waste precious cybersecurity resources reinventing the wheel on incident response.  This also applies to understanding what parts of infrastructure fall under the various national-level requirements, especially for multinational firms.  

While many larger organizations have dedicated incident response teams, incident response is an increasingly complex, multi-functional capability that requires careful and coordinated communication across business units, information security and IT, communications, compliance, legal and external parties, and up and down the organization from the front-line analyst to the CEO and board of directors. Finding the time in the diaries to ensure everyone who needs to be involved in a crisis knows what to do before one strikes will save countless hours when it actually does.

The Insight

Rapid-fire cyber incident reporting standards are on the rise around the world, increasing the necessity for firms to be prepared for when cyber attacks hit instead of hoping they won’t. By developing effective incident response plans, exercising to practice and find the gaps, and sharing intelligence and knowledge with peers around the world, financial institutions can go beyond simply reporting incidents to assure public agencies that they have the situation well in hand.

© 2022 FS-ISAC, Inc. All rights reserved.
